 Thank you all for joining us this morning. My name is Ben Wisner. I'm the director of the ACLU's speech, privacy and technology project. We're really thrilled to be here and very flattered that so many of you have turned out to see this panel. The topic that we're going to address this morning, location tracking, is something that the people in this audience have known about for many years but that the rest of the country is just now waking up to. We are in a constitutional moment for location tracking. This year, a unanimous Supreme Court held that when the police put a GPS device on a car and track a driver's location over a prolonged period, that that's a search under the Fourth Amendment. They had never held that before. But we all know that the police do that perhaps a few thousand times a year. At the same time, law enforcement gets millions of records per year of mobile device location data. And there's a very different legal standard that governs that. And we'll discuss that this morning. Still, the Supreme Court's decision was very significant and it opens up the possibility for further reform. There was a critical moment in that Supreme Court oral argument when Chief Justice John Roberts asked the lawyer representing the United States, is it your argument that you could put GPS devices on the cars of the nine justices of the Supreme Court, track our movement over a prolonged period and the Constitution has nothing to say about it. After some hemming and hawing, the government lawyer said effectively, well, yes, that would be no different than putting teams of FBI agents to track your movements over long periods of time. That was the wrong answer. But I think it illuminates an important point. Only when the Supreme Court justices were made to feel that they had a little bit of skin in the game, did they begin to think in depth about the dimensions of the law enforcement authority at issue. Our job and what we hope to continue doing today is to let the rest of the country know that they also have skin in the game. And I don't think there are any three people in the country who have done more to spread awareness of this issue than the three people on this panel. Ashkan Sultani and Chris Segoyan are the leading public interest technologies in the United States. They have both worked for the FTC. They both appear frequently in the media. Ashkan has testified before Congress. Chris has been called by Wired Magazine, the Ralph Nader of the Internet. And more importantly, for our purposes, I'm happy to announce today that beginning in September, Chris Segoyan will be the ACLU's first principal technologist and senior policy analyst. So we're happy to welcome him to the ACLU. Ashkan was the primary technologist for the Wall Street Journal's very influential series, What They Know About Internet Privacy and Online Tracking. All the way to my left is my colleague, Catherine Crump, who has litigated these issues and, more importantly, coordinated a nationwide effort of filing Public Records Act requests in almost every state to get information about how local law enforcement agencies were obtaining cell phone, mobile phone, location data. And it resulted in a front page article in the New York Times that showed that very widely disparate legal standards are being used here. And that there is a need for uniformity and more protection. And I think as a result of Catherine's efforts, we now see bills and state legislatures and it has added momentum to congressional reform efforts. I am mostly going to stay out of the way during this discussion and leave it to the experts. Each one of them will make a presentation. We'll probably speak amongst ourselves for a while. I'm sorry there isn't a microphone for people to congregate at to ask questions, but we absolutely will take questions. People will just need to come to the front when I give the signal and we'll repeat the questions for everybody. So let me turn it over to Ashka. Or you can shout and we'll try to do our best. So hey everyone, thanks for coming. I'm going to speak briefly about technologies related to surveillance and location tracking. Much of what I'm going to talk about is likely stuff you've already heard and seen. I'm just going to try to kind of summarize the state of affairs and then hand over to my colleagues to discuss the prevalence of collection of this information as well as the legal protections you might have around some of this information. And so our talk is called can you track me now? So the focus of my section is going to be basically about these devices, these mobile phones. Everyone's probably got one in this room and everyone also knows that they're no longer phones, right? These are simply many computers that have a Linux stack. They're different from computers and that they're small and they're also very different than your computers, except for this crowd, but for most people that you carry them everywhere with you, right? And they carry a bunch of sensitive data on them, your address book, your photos, your contacts, etc. What's also interesting, a little bit different from your computer is that there's a lot of players involved in bringing you your device, right? So you have the hardware manufacturer, you know, this is HTC Samsung, these folks. You have the carrier, the AT&T Verizon's sprints of the world. You have the platform developer, right? The Apple's, the Google's, the Motorola's that build the operating system on the phone, Windows if you consider a platform developer. The app developer, which is like the people that run the apps and then a bunch of like third party software, like analytics software, ad software that kind of enables the ads on your system or enables app developers to see who's downloaded what apps, etc. And each one of these players has some ability to access your data, some ability to expose you to unintended risk, and some ability to kind of hand over this data to law enforcement. And I think that creates a really interesting and complicated liability space of, you know, who's responsible to protect your security and privacy on these devices. And it kind of creates this feeding frenzy for law enforcement or whoever else are for attackers that want access to this data. And I think that's kind of one of the biggest challenges we see in this ecosystem. For the purpose of this talk, we're going to talk about location, right? But location can mean a great number of things, right? We, you know, on the left is my GPS based location. On the right is my location based on Wi-Fi access points, right? So just triangulating what your nearest Wi-Fi AP is. You can do IP based location. So this is just simply my location based on IP address with some resolution block level, depending on, you know, the service you're using. And you can also reveal, you know, depending on the purpose of the query, you could reveal location based on, you know, your language pack that you have on your browser or, you know, the type of search queries you do, right? For, depending on what you're trying to get after, your location information can be inferred or intuited a bunch of different ways. There's a series of attacks to get your location information, right? So we, you know, everyone remembers maybe this from about a year ago or two years ago where the iPhone was logging your information for caching of Wi-Fi access points. And so the end result was for the life of your device, you would have this log of your past location available on the device, right? So for anyone who wanted to access that, they could map your activity across the past two years, right? You also have a lot of other data stored on the device like, you know, photos, kind of search queries, this kind of stuff that would also reveal your information. This is some work by Nicholas Sariat from a few years ago showing that the cached areas of the iPhone would actually reveal your location to other apps, right? So other apps could know, kind of look at your photos and look at the geotag information in those photos and determine where you are, right? And there's a ton of like local attacks to get, kind of, whereby insecure storage of information will reveal data about you, including your location. And why this is of concern is, you know, ACLU did some great work showing that there's devices out there that can just, that law enforcement or whoever else can connect to your phone and just mirror your phone like a hard drive and get all this information. So if I want to know whether you were present in California at some point in time, if I have access to your device on you, I can use that as evidence and bring a case against you based on that evidence. And I'm not going to speak on the legal side, but Catherine will definitely talk about that. You also can get stuff like Trojans on your device that actually are used to track your location, either access the device and upload data that's based on the device or in real time track your location on the device. And this is some information about CPAP, which was a FBI, kind of, root kit that they could install on computers, but there's no reason to think that this isn't present on your mobile phones as well. And one of the kind of interesting bits of mobile phones is that the carriers or, you know, on Android phones, Google themselves can push apps to your phone, right? So I don't know if you've noticed, but you can go to the App Store, your browser, and then all of a sudden your phone is downloading an app and installing an app or installing an update. Another researcher about a year ago demonstrated that that channel itself is actually not secure as well, so he could force on the wire your phone to download apps or push apps to your phone. So there's a lot of other ways to get either root kits on your phone or force, kind of, upload of information that's stored on your phone as well. And so some of you may say, well, you practice good opsec and you encrypt your phone. Well, you know, there'll be a talk later today about whether law enforcement can actually ask you to decrypt your phone, so ask you for your password to access the data that's stored on your phone. There's also good evidence to, and I think Chris will probably talk about where law enforcement can just ask Google or Apple to unlock the phone for them, right? So they can either kind of remotely unlock your phone or send the device to unlock your phone for the purpose of law enforcement with a subpoena. So those are all the local attacks, right? And so there's network attacks as well, so as I said, just the use of your device on a network will reveal to the network your location. So there's cell phone triangulation, obviously. This was some work by, how do you say his name? Matze? Matze Spitz? Matze Spitz. He basically, the equivalent of a FOIA, or basically an information request from his network provider for location information, for his personal location information, and he mapped it. He did a great job mapping a visualization of his location history. You may want to mention, so this Malta Spitz is a German politician. So this German politician called up T-Mobile, actually wrote a letter to T-Mobile and said, I want every bit of data that you have about me. I want to know everything you've kept and the information that T-Mobile after several months and not initially wanting to hand it over revealed that in fact they keep vast amounts of historical location data. This is obviously a German politician, so this is in Germany, and it's not clear that most people can get this, but Malta's data set sort of was very eye opening for many people. Yeah, and so what it demonstrates is that your ISP or your carrier will have your historical location information based on cell phone tower data for quite a lot of, you know, for some period of time. The length of retention varies from six months to two years depending on a carrier, but if I want to know where you've been, or if I want to get a perspective location track on you, the ISP or the carrier is a good place to go. And Chris will talk about I think the prevalence of how often they hand over this data. But it's not just your carrier that has this data, right? There's lots of companies that, for example, let you install GSM antennas in malls and in other spaces to track your location through the mall, right? So this is not your carrier, this is simply based on the beacon your phone sends as it's trying to negotiate with the cell tower. And so these things will just record your MZ or your TMZ and track your location in a mall and provide a heat map. Now this information is useful for the malls to know what Victoria's secret underwear you look at, but it's also useful if someone wants to know whether you were present at that mall at some point in time. And it's not just over GSM, there's a company called Euclid that a few companies now that do things like Bluetooth emanations or Wi-Fi emanations, right? So if you're using Bluetooth or even sending a beacon for some reason, they will monitor activity and tell stores. And it's not this isn't like future high tech stuff that like only large malls. This is Euclid is in use in San Francisco at a lot like a bunch of coffee shops, right? It's $200 a month to sign up for this thing and they'll just drop a box at your store and just record people's Wi-Fi MAC addresses as they come to the store, right? And so just by using the network or just having your phone on you're now leaving a trace both to the carrier and to you know any of these third-party in-store analytics companies, right? Then the simple use of the phone, right? So the calling patterns, you know any of that information is available to you know law enforcement or whoever else can get access to these devices. Your use of the phone for things like apps as well is revealing of your information, right? So many of us use apps for day-to-day activity. I did a study with the journal showing you know testing the top 50 iPhone and Android apps and trying to determine what information they transmit when you use these apps. And again you find that obviously you send certain information to the first party when you use these apps. So if I'm using like I don't know Yelp, I send Yelp some of my location information. But I also send my location information and my unique device identifier, the thing that let's companies uniquely track my device to a bunch of third parties, right? So my favorite that I like to highlight is still in play, it's they still do it even two years later. It's this app called best alarm clock, right? And it's one of the alarm clock apps for iPhone. Anytime you run the alarm clock or the alarm if you've set it to go off, anytime the app runs it sends your precise lot long and your identifier to a bunch of third parties, right? In clear, right? So you've effectively now are giving your location information not just to the carrier, not just to Google, but also to a bunch of third-party ad networks or third-party analytics companies, right? And this is, again, precise lot long. And, you know, to the degree that you think some of these companies like AT&T and these guys might push back on on warranted requests for your information, that may or may not be true. I think it's actually not true, but a five-person startup in the Bay Area that has a small analytics, you know, company they're not going to have an on-staff attorney to push back and protect your these requests from law enforcement, right? And they, again, receive precise lot long. We found that, you know, 47 of the top 100 apps send your location information and 56 of the top 100 send your unique device ID. And so this information is available, you know, to a bunch of different parties just by you using your phone. I think that exposes it. This is a little graphic showing kind of the mobile display advertising landscape. So every single one of these companies receive some information from the use of your device, at least your IP address, right? Some receive your, you know, your unique device IDs, etc. And any one of these can be subpoenaed or kind of your information could be requested from these companies. This is kind of another way to visualize the space. If you look across, so if you look across the top, it's simply that the number of people that receive your location information, so the location providers, this is like when you are using your phone just on Wi-Fi, you're requesting nearby Wi-Fi hotspots. You're actually sending that information to Google and Apple to triangulate you. Your carrier is getting it. Then your carrier is sending it over to, on the top right, there's a few location aggregators. These are location labs and these guys that provide APIs for your apps to get your location information. So this is another player in the space that has view into all four carriers and your location information across all four carriers. Then there's, on the right, you get the actual third-party websites. These are the apps. These are like Yelp and Pandora and these guys. And then at the bottom, you get the actual advertisers and analytics. So every single one of those, except for the GPS satellites, get your location information simply by your use of the device. Right? So that's a kind of a broad attack surface in terms of I want to know your information. And in terms of your ability to stop this stuff, it's kind of limited, right? So a lot of these services that get location, you cannot turn off, right? So the issue with the Apple logging was that even when you said do not track my location, that data was still logged on your phone. Other things like photo information that logs your, you know, the location information logged in photos, you can't really disable and next version of iOS might have it. But to some degree, apps have free access to photos and therefore your location information in those photos without any permission model on both platforms as of now. And some of the other kind of location information around, you know, device analytics like carrier IQ or kind of preloaded apps that, you know, when you buy a Verizon phone, you have no ability to block or turn off, right? So it's kind of a wild landscape in terms of your control or your ability to limit the disclosure or recording of your location information. And I'll kind of hand it over to Chris to discuss how often and how frequently this stuff is accessed. Thank you. So it's really, really difficult to figure out what the phone companies do. It's really difficult to figure out what the government can get from the phone companies. And I've spent the last six years of my life trying to figure out how much the government spies on us and how they force the companies to whom we entrust our private data to facilitate the surveillance. If you visit the websites of the phone companies and the email providers in the privacy policy, you'll see vague statements about how they care about your privacy. But you won't find any details about actually how they process the requests and what legal standard they insist on. And for most companies even how many requests they get. And so the method that I've used to get data for the past three or four years later into the project were sort of three methods. So the first is that I filed countless FOIA requests, which by the way is really, really easy to do and I highly recommend it. If you have a blog, you can usually claim that you're a member of the press and not pay any fees. So that's the first method. The second method is I've snuck into places I shouldn't be. I went to a surveillance industry conference in 2009, commonly nicknamed the Wiretappers Ball, where I was able to hear from many telephone company employees, figure out what they were doing. And then the third and most fruitful method has been to actually go out drinking with the lawyers who work for these companies. And it turns out that they really just like having someone listen to what they do at work all day. So let's talk briefly about what happens at these firms and what they're able to provide. And what I want you to understand, more important than anything is that the phone companies are not going out of their way to spy on you. It's just sort of, it's the cost of doing business. If you want to be in the business of providing telecom services and you're using spectrum given to you by the government, then various federal agencies have leverage over you. And if you don't play by their rules, they take away your spectrum or they block the installation of towers, they can make life very, very difficult. And so the phone companies have to go along. And protecting your privacy is really not that good for business. The money, I mean, although you may think the profits that the phone companies make are obscene, the amount of money they'd have to spend to even push back on a request would likely wipe out the profits they'd make from you for a few years. And so there's just really no incentive for them to do so. But let me at least talk about what's possible. So largely I'll focus on location data. So we all carry cell phones right now and the phones are constantly transmitting to towers, particularly if we have smart phones and there are data connections. The government can get three types of location data. They can get historical, actually four types, they can get historical single tower data. They can get real-time single tower data, real-time triangulated data, which is based off of multiple towers in some cases, and then real-time GPS data for phones that have GPS chips. Several maybe a decade and a half ago the FCC forced or Congress passed legislation and the FCC forced the carriers to provide E911 location capabilities. So this meant that the carriers had to be able to provide upon request location information of a certain degree of granularity. But the FCC left it to the carriers to figure out how they're going to implement that. And the carriers basically split along the CDMA and GSM path. So the GSM providers in the US, which is AT&T and T-Mobile for the most part, they decided to go with estimated time of arrival data. So they installed this box on every tower. It's usually made by a company called True Position. And this triangulates the location of your device. It works indoors and it works outdoors and it doesn't require the assistance of any phone in the field. I mean it's fairly sophisticated technology. So they decided that they would go with that path. Verizon and Sprint decided that they didn't want to do that. And instead, they put GPS chips in every phone. Whether the phone costs 20 bucks or $500, Verizon and Sprint just put GPS chips in the devices. And then upon request, the phone companies can locate individuals. Why does this matter? Why this difference? Well, not every device on the Sprint and Verizon network can provide GPS information. The E911 rules only apply to telephones that you can use to call an ambulance during emergency. And your laptop or tablet or other data device cannot be used to make calls. And so Sprint and Verizon do not provide E911 capabilities for those data devices. What this means is that when the government wants to locate a data-using user, a data-using device in real time, they're not able to for those two networks. So what does this mean? The government and Catherine will walk through the sort of insane legal standards that exist and the ease with which the government can get certain types of data. But what you need to understand is that the government is obtaining vast amounts of location data. Normally there, well, it's much easier to obtain the historical information and the cell phone companies are just creating it and compiling it and saving it. So it's just sort of there sitting around. Whereas for the prospective information, the real-time information, the GPS or triangulated data, the government has to ask beforehand. And so you already have to be under suspicion for the government to ever get that kind of data. So it's much easier for them to get this historical stuff. So the companies are receiving all these requests. They're essentially flooded with requests and the companies receive so many requests that they have teams of people working 24 hours doing nothing but responding to surveillance requests. The numbers vary by carrier and the carriers have just recently made stats available because of a letter sent by a member of Congress. What we do know is that the total number of requests by U.S. carriers is approximately one and a half million a year. Sprint receives by far the greatest number of requests of any cell phone company. They receive 500,000 subpoenas alone. That doesn't include wiretap orders. That doesn't include requests for location data. That doesn't include text message information just subpoenas, which Catherine will probably explain what those can obtain. My guess for why Sprint receives one third of the requests nationwide is that Sprint has basically cornered the market in prepaid cell phones. If you're using Boost, if you're using Virgin, if you're using several other prepaid carriers, they're likely using Sprint's network and prepaid phones are popular with low income people, the young, the poor, people living in urban areas who are more likely to be the subject of government investigations. I'm not saying they're more likely to be criminals, but they're certainly more likely to be the subject of investigations and so I think that at least partially explains why Sprint receives so many requests. All right, so Sprint's receiving probably 600,000, 700,000 total requests a year. They're the only company that's broken down the number of location requests they've received, which is 200,000 requests over the last five years, about 40,000 requests a year. That's a lot of requests for them to deal with and on top of the, you know, half a million subpoenas a year that they receive and so they have this gigantic team. They have about 200 people doing nothing but responding to surveillance requests and Sprint was so inundated with these surveillance requests that it ultimately decided that it couldn't cope. It could not cope with this flood of surveillance and so what did it do? It created a self-service portal, a website where a law enforcement could log in and get this information whenever they wanted. Now the government would have to satisfy the right legal process, but once they had met that process with the appropriate court order they could log in whenever they wanted. That website was set up in 2008, between 2008 and 2009, it was used to generate 8 million GPS data points. That's 8 million individual requests by law enforcement agencies. Now we don't know how many people that was. It could be the same person being pinged every second. But what you should understand is that when surveillance goes from a manual task to being an automated task, to being a self-service task, the number of requests goes up. Now the phone companies all charge for their assistance and they charge reasonable costs, whatever that tends to be. And over the years, as surveillance has gone from a manual task, from someone sitting down at a keyboard and typing in an individual request to being a wholesale, all you can use, a model, the costs have plunged. And so just, I think, seven or eight years ago Sprint Nextel charged $150 per GPS ping. Right? If they'd charged $150 for the 8 million requests that they'd received, that would be $1.2 billion. They would be in the black. They actually lost a lot of money. They've lost money over the last few years. They didn't make $1.2 billion from surveillance requests. And what's happened is they went from charging $150 per ping to charging $30 a month all you can eat for surveillance. So the police can literally sit at their desk from the comfort of an air-conditioned office. They can track you as you move about your daily life. Well, why does this matter? It matters because the government has scarce resources. There are only so many agents who can be tasked with surveillance. And when it takes 10 or 20 FBI agents to tail a suspect as they drive around town, the government has to figure out who it's going to spy on, who is important enough to warrant that team of 20 agents. But when a single agent can track 300 people from their desk just by typing an additional command in at a keyboard, well, then the government doesn't have to think as hard about who it wants to spy on. Right? Then anyone who appears on their radar is enough to get on their request list. All right, so to wrap up and before I pass here with my colleague, I also want to talk briefly about the sketchier areas. So we know that the government is obtaining historical location data. We know that they're obtaining real-time location data. We know that they're tracking people in real-time. We know that in some cases they have Google Maps type interfaces on our desktops with little dots blinking around. We know that. The scary stuff that we don't know very much about right now relates to what are called cell tower dumps. So rather than the government saying, you know what, Ashkan is really sketchy. We're going to spy on him. They say, you know, the people who are near this 7-Eleven, they're really sketchy. So we're going to ask the phone company for the information about everyone who's been near a particular tower in a given hour or two or day period. That's hundreds, if not thousands of people. And most of these people are innocent. In fact, the vast majority of these people are innocent and their information ends up in databases. So the sort of wholesale dragnet type location surveillance is definitely something that is scary, but we know very little about. The other really concerning thing is something called a community of interest request, which is that if you are under surveillance, the government will typically get information by everyone that you've called and everyone who's called you. We know from a recent letter that Sprint sent to a member of Congress that when they hand over location information, they hand over location information about both sides of the call if both sides are using Sprint service. So if I'm being monitored by the government, your location information gets handed over if you call me. So there are some really, really sketchy things happening. We don't know very much. I'm currently litigating my own lawsuit against the Department of Justice to get some PowerPoint slides about their current and cutting edge methods of location surveillance. There are several other lawsuits going by several groups and hopefully we'll get a bit more information. The last thing I'll mention before I pass it over, Ashkan teed this up. Several of you, I hope, in fact, all of you should use encryption on your smartphone if it's available. Certainly the latest version of Android offers this encryption. You should certainly be using it on your laptop. So the question that I want you to think about, and I have the answer, but it's a really unfortunate and depressing answer, but think about this. You're arrested by the police or you go through a border and the government grabs your cell phone and they want to see what you're doing. They want to see what's on there and you have some passphrase and so the data is encrypted. What do they do? Well, if it was your laptop, if you're using TrueCrypt on your laptop or File Vault on your Mac, they'd be out of luck. Maybe they could force you to hand over your password or maybe they could try and force it, but those are the only real options they have. With your cell phone, the smartphone vendor, the platform vendor, Apple or Google, they're in a position to undo the encryption. So the way it works, it varies by the two major platform providers. Apple appears to have some kind of master skeleton key and so the police send the encrypted phones back to Cupertino and the folks at Apple will clone the data off of the phone and then send the police a DVD with the data from the device and then send it back so the police never get access to your phone, but they do get all the data off of your phone. My understanding is that Apple insists on a warrant. It took months of begging and bullying before Apple finally told me this. Google is different. Google doesn't have the devices sent back to their headquarters. Instead, what happens is that the police ask Google to change your password. So what happened? If you enter the wrong password into an Android device a few times, it locks you out and the only way you can get back in is by entering the full Gmail address and password. And so what Google will do is change the password to a new one, which they can then give the police. The police get in and then Google change the password a second time so that your email won't sync and the police won't be able to do ongoing surveillance of you. But in any case, what I want you to understand is that both Apple and Google provide access to encrypted smartphones. And so if you think your smartphone disencryption is enough, you're wrong. All right, thank you. So hi. I'm going to talk about some of the legal protections that you are entitled to for your location information when the government comes seeking for it. I work at the ACLU and I spend my time challenging government surveillance programs and location information has been one of the most pressing issues we've been dealing with for the last several years. And unfortunately, I'm going to continue on the theme that Chris just struck, which is that the legal protections for this type of information are both uncertain and inadequate. Technology has been changing incredibly rapidly. And I think it's worth pointing this out, right? We just learned from a bunch of letters that Congressman Markey sent. He requested information from the cellphone companies and learned that the cellphone companies get 1.3 million requests for data a year. What is so striking about that is that 20 years ago, none of this data would have existed. How many of you, for example, had a cellphone in 1990? There's just a few hands up in the audience right now. Most of us didn't. And so the government and the FBI in particular frequently complain about the degree to which they're going dark. Their surveillance capacities are being stymied by encryption and other technological protections. But the reality is that this is the golden age of surveillance that we all create these vast data tracks that didn't exist before. And for the law, this creates some the relatively rapid nature of the way this has happened creates some real difficulties. The law tends to involve incredibly slowly. So for example, the telephone was invented in the late 1800s. It was the 1928 before the Supreme Court first weighed in on the question of whether or not the government needs a warrant to wiretap your phone. And it reached the wrong conclusion. It held that it didn't need a warrant based on probable cause and it took until the 1960s for the Supreme Court to finally rule that if the government wants to listen in on your telephone conversation, it needs a warrant, right? You know, over 60 years that decision took. And so, you know, both the courts and the Congress have a lot of catch up to play to figure out how to deal with legal protections for the location information that we generate in vast quantities every day. There are a few different possible sources of legal protection, right? The courts can interpret the Constitution or existing laws to protect location information. Congress can pass a new law. You know, and there's a theoretical third source, right? Which is some sort of executive restraint, right? The executive can simply say, wow, we're, you know, we're not going to get this sensitive information. That's obviously not happening. So there's really just two possible sources. So I'm going to start out for reasons which will hopefully soon become obvious by talking about the Constitution and what it may mean for protection for your location data from mobile carriers. Ben started off by, the Constitution obviously of the Fourth Amendment protects against unreasonable searches and seizures. And the default rule is that if the government is carrying out a search, a constitutional search, it needs to get a warrant based on probable cause. Ben started out by mentioning the Supreme Court's recent decision in United States versus Jones. I'm going to talk about it in a little more detail because this provides the best sort of hope that the Supreme Court will find that you have a Fourth Amendment interest in your location information. A unanimous Supreme Court held that when you attach, when law enforcement attaches a GPS device to your car, that is a search under the Fourth Amendment. The case arose because the police wanted to track the movements of a nightclub dealer in Washington, D.C. They thought he was involved in drug dealing. They attached a GPS device to his car and they actually, they got a warrant but it wasn't a valid warrant for reasons I will spare you. So he moved to suppress the evidence. The government made the sweeping argument Ben alluded to earlier that location information simply doesn't implicate the Fourth Amendment at all. You have zero protections for your location information under the Fourth Amendment. And I think because of the extreme nature of that argument, the Supreme Court really took note of what the consequences of that would be and held that when they do that there's a search under the Fourth Amendment. But Jones actually concerns me a lot and it's because I am, it's because of what the decision doesn't say more than what it does say. And I am afraid that civil libertarians will see the court's decision in Jones and see that the court did something positive for protecting location privacy and will stop paying attention to this issue when really the decision doesn't go as far as we all wish it would. It leaves two essential questions unresolved. Number one, we know now that if you attach a GPS device to someone's car that is a search under the Fourth Amendment. But the Supreme Court explicitly did not address the question of whether it is the type of search that requires a warrant based on probable cause or whether some lesser standard will do. So the government in the past six months since the Jones decision was decided has filed briefs all around the country arguing that they don't need a warrant even after Jones to engage in this form of location tracking. It is sufficient if an officer has a reasonable belief that tracking your car will turn up evidence of wrongdoing. And they argue that they don't need to go to a judge. That is enough for the author to simply believe reasonably that a search will turn up evidence of wrongdoing. That standard in my opinion is pretty meaningless and toothless. I think the primary value of the Fourth Amendment is the fact that if you are carrying out an investigation you have to go to a judge a neutral magistrate and you explain why the search will turn up evidence of wrongdoing. And if all Jones means is that you have to think what you're doing is reasonable it's not going to mean very much at all. The second major unresolved question is how Jones applies to mobile devices, right? As Ben mentioned, the FBI for example says it's using 3,000 GPS trackers. It was using 3,000 GPS trackers at the time the Jones decision was issued. But there are a lot more cell phone tracking going on and it is not clear that the protections for location information against attaching a GPS device to someone's car are going to apply to cell phone tracking. And to understand why the decision is unclear you have to look at the majority decision. I mean the court unanimously held that there was a search but it didn't agree on the reason why there was a search and five of the justices led by Justice Scalia were very framed the issue in terms of a trespass, right? This is a common law trespass. An officer had to physically attach a device to your personal property and that trespassed on your property and when they collected information from it therefore there was a search, right? It is not that is obviously not how cell phone tracking works. The government goes to the company to get the information. And those justices said we will leave for another day whether or not it violates the Fourth Amendment to engage in purely electronic surveillance. So it's not clear that the good the court did in Jones for GPS tracking of cars will extend in any way to the mobile location tracking that the government finds much more useful. And in the law there are actually some good reasons to believe the government's argument the government continues to argue today that it does not implicate the Fourth Amendment to track a cell phone without a warrant based on probable cause or actually that they have to meet any Fourth Amendment standard at all. Catherine, do you want to explain what the government argues right now they can get? I mean what kind of location data they can get with a de-order and you'll explain this but what are the various standards for location data and when can they get it and is it one tower, multi-tower, GPS? Yeah, I'll get to that in a second. I'm going to talk about the statutory scheme in just a moment. But so under the Constitution the government believes that because there's no physical trespass when they want cell phone data that the Fourth Amendment is simply not implicated and they're continuing to make that country that argument around the country. There's also as Chris was just mentioning federal statutory law that provides some protection for your electronic data. The bad news is that this statute has not been updated since 1986, right? That was before the World Wide Web was invented and before people really used cell phones and it is not clear how that statute applies to location data. So for example the government argues that the government has taken a litigation position that when it wants to get historical cell phone location information under this outdated statute it is sufficient if it shows that that information is relevant to an ongoing investigation. Relevant and material to an ongoing investigation and it makes the same argument if it wants to engage in real-time single-tower tracking. They have taken the position that if they want to do more precise GPS tracking the Department of Justice recommends that law enforcement agents get a warrant based on probable cause. However, they don't can see that the Constitution requires them to do that. They're just sufficiently afraid that judges might conclude that they suggest that you generally get a warrant. So those are the sort of legal standards that apply under this statute. Yeah. So I just wanted to mention that in the wake of Jones we have been the ACLU and EFF and CDT and Epic and other organizations have been trying to find every one of these location tracking cases and make the arguments in favor of a warrant and probable cause requirement. But the battlefield often keeps shifting just as technology keeps shifting. So for example, right now we've been very focused on cell phone tracking. But there are other forms of location tracking. You know, when one form becomes less accessible, other forms become more accessible. And we've seen, for instance, automatic license plate readers popping up with greater frequency all around the country. So that's a brief legal overview. Ben, did you want to? Yeah, I want to clarify one point. So the government's argument here is that single tower data is so inaccurate. It's just, I mean, it's just a little bit of information. But it doesn't tell them which apartment you're in or which house you're in. The government's argument is that because single tower data is so inaccurate, they don't need a warrant to get it. And this may have been the case 20 years ago or 15 years ago when they first started making the argument. But they haven't adjusted their legal theories to the changes in technology. And so as consumers increasingly use modern smartphones that are data hungry, the carriers have had to respond to these surge in data usage by placing more and more towers in cities. And when you add more and more towers to a city, you have to shrink the coverage area around a tower. And so while the coverage area around a tower 10 years ago might have been five miles, today it could be a single mile or half a mile. And the government is still arguing that single tower data is not very accurate. In addition to this, many of you, if you have crappy cell phone service in your home, may have called up the phone company, threatened to quit or to threaten to cancel your contract. And then the phone company may have sent you a femto cell or Pico cell. These are small cell towers that will likely cover just your living room or your house. I get coverage in about half of my house with mine. And with these single towers, I mean, the location information from those single towers is your house. That is the full range of those towers. The government hasn't addressed this point specifically, but there are more femto cells and Pico cells out in the field now than there are regular towers. Now, obviously, you're more likely to be talking to a regular tower because their range is larger. But the government's theories really haven't matched up with the realities of self-entowered deployment. The density of self-entowers and the shrinking coverage area around them. So what I hear from these two presentations is that there are some real anomalies in the law. That the law really hasn't kept pace with technology. The Supreme Court says that information that you share with a third party is not entitled to Fourth Amendment constitutional protection. That includes information that your cell phone or mobile device is sharing all the time about your location. So Ashkan in one of his slides showed the five different layers, the five different kinds of corporate entities that might be collecting location information. Does anybody have any idea? Do either of you have any idea of what legal standard the government thinks it needs to meet to get that information from those? Are there differences between them? Would it be the same? I mean, I'll let Catherine chime in on the legal standard. But what I will say is that I don't think that the government needs to go to an app provider or an online analytics company to find out your information right now because the phone company has it and the phone company is going to put up less of a fight. Even though they have more money, the phone company has been doing this for 50, 80 years. They're used to playing ball. The people who respond to the request at the phone company are usually former government lawyers. Right? They're like, oh, hey, Joe, how are the kids? Da-da-da. Am I going to see you in a few weeks at the reunion? They're colleagues. And these are multi-round transactions. They're not going to rock the boat too much. So the government doesn't need to go to some ad service in order to get it. It can get it straight from a telecom. AT&T and to a lesser extent Google are your one-stop surveillance shop. And why waste your time with an analytics company? Let me follow up because obviously there's a big difference between AT&T and Google. It's Google's business model to collect this information as much data as possible. AT&T, we pay them $30, $40, $60 a month for the service. Does anyone on this panel suspect that the companies are thinking about or already monetizing location information? Or is this just something that they do for the government because of their close ties? The wireless carriers are prohibited from selling your location information without your consent. There's a specific section of the communications act. The carriers are very sensitive to claims that they're selling your location information or other data to the government. They argue that they just get enough money sufficient to pay their costs. And I actually think they're being honest. If you're receiving 500,000 requests a year and you have 200 employees doing nothing but responding to those requests, those employees all have mortgages and health insurance and it costs a lot of money to stop a huge surveillance team. So I don't think that there are huge sums of money that are changing hands here. I mean, the $10 million that AT&T gets from the government for providing surveillance assistance is the most pathetic drop in the bucket for them in terms of their overall revenue. You know, I think the carriers, though, could be doing a lot more to help the public understand the degree to which our location information is being given away. You know, it is commendable that they voluntarily complied with these letters they got from Congress Menorchi and disclosed recently how many surveillance orders they get. But in general, they've been quite tight-lipped and it actually took an ACLU public records FOIA effort in order to, for example, learn how long each of the major carriers retained historical location information on each of us. Right? And it varies substantially from company to company from six months to, in the case of AT&T, you know, all location information since July of 2008. And I personally think that if I'm paying a bunch of money for, you know, a cell phone, it would be nice to have access to basic information about what kind of privacy risks the company creates by retaining that information for, you know, months or even years at a time. So I have a question for Ashken because she knows more about technology than me. Let me ask you a question. All right, go for it. So one thing I think it's worth so while law enforcement may not go to analytics companies or these third-party services yet, if there is a standard for, say, GPS information, I think we are going to see law enforcement go for other forms of location identification. And so, Christy, you want to talk about the Skype IP address? Sure, there was a case maybe five or six years ago there was an American fugitive who was on the run. He disappeared. He was a, this is a white collar crime. And he logged in from an internet cafe in Sri Lanka using Skype and made a single one-minute call to one of his colleagues. And Skype handed over the IP address records of that call, which was sufficient to tip the police that he was in Sri Lanka. There are not that many Americans in Sri Lanka at any given time and so it was pretty easy for them to then locate him after. So sometimes even country-level location information is sufficient. So it depends on the purpose of the investigation but, you know, as we know with data mining, you can piece things together and so perhaps precise GPS location might not, you know, might have some protections down the line but we're going to find more and more that other types of location information might not have the same types of protection. So my question to you, you described how Google can push down apps onto the phone without any user knowledge or consent. You described how your GPS and other location information can be accessed. You, people do get told but there's no way to opt out of the government locating you. If you were king for the day and you could force the smartphone providers to change their systems and you could force the carriers to change their technical systems, what would you do to protect people's privacy and security better in the smartphone environment? Yeah, so I think the one thing that I would probably focus on, so I would do, there's two things you can do. One is for retroactive request for information, I would push on bigger, broader retention limits, right? So I think, you know, you've talked about cricket and how they don't log information and so if you don't have that information, law enforcement can't go and get that information from you. So you're saying that AT&T's seven year log retention period is too much? I mean, you know, you might think you might not, I mean... You guys use AT&T? Seven years, you cool with that? Yeah. Well what else for everyone on the panel? You know, what other pressure can consumers put here and what other pressure should consumers put here? So we talked about how the mobile carriers should be more transparent about how long they retain data and shouldn't retain it for as long as they do. You know, we've praised companies for putting out transparency reports that say how many times they get different kinds of requests. Google and Twitter have done that. We've praised Twitter because when they get subpoenas for customer records, they notify the users so that they will have an opportunity to challenge that in court, although courts have sometimes said that users don't even have standing to do that. What should we as, you know, customers and consumers be pushing these companies to do more of? Well, so I would say for this crowd, we as researchers and developers and hackers and whatever we call ourselves, highlighting some of these activities, right? This collection of information, the transmission of information, finding tasteful ways to demonstrate privacy exposure. So that means like, don't hack senators, but like you might wanna show that, you know, the senator when they're using their phone is revealing their location when they're going to the strip club. If you can make that case, I think, you know, senators are going to be, their eyes are going to be open and they're going to want to find ways to protect that information. That's typically how I find that people pay attention to issues is when it affects them. And so as people that are very capable, probably much more so than anyone on this panel, I would say, you know, if you have ways to demonstrate how sensitive information is being stored insecurely transmitted to people that would, and legally demonstrate this stuff. And generally would surprise most average consumers. I think that's a really good use of your time. I second that. So I think the most perverse aspect of the tracking debate and this and the surveillance state we live in, the really, the thing that bothers me the most, I think is really twisted is that if you get arrested and the government uses location information to find you or to build a case, you'll be told about it. If the government is reading your emails and somehow they find something, you know, problematic there and they use it to build a case and they arrest you and prosecute you, in the course of your prosecution, you will learn that the government was digging through your most private and sensitive affairs. But if you're innocent, if you've committed no crime and the government never charges you with anything, in so many of these requests and so many of these forms of surveillance, you never know about it. If Google hands over your search logs, you don't know about it. If the government obtains your cell tower location data, if they look through your emails, if they find out your credit card transactions or your public transportation records or your easy pass toll booth records, you never learn about it. And I think it's really, really messed up that the innocent in this country can be subject to surveillance and not know that it occurs. And I wanna be clear that under US law, for most forms of surveillance, unless the government specifically obtains an order prohibiting disclosure, companies are free to tell you. They just don't do it. It's bad for business. They don't wanna scare their customers. They don't wanna worry people. And frankly, they get no benefit out of doing so. And I understand that. I understand why the companies don't wanna do that. And I think we should change the law so that the government is required to tell you when they obtain your stuff. And that doesn't mean that they need to tell you the day that they request your records. Certainly that could frustrate a legitimate investigation, but at some point, whether it's six months or a year or two years down the road, at some point you should be told that the government was looking through your personal private files. And right now, you just don't know. I think that's a really excellent point when you start seeing numbers like 1.3 million records being accessed. The number of those people who are innocent has actually got to be quite substantial. And I just wanted to build off of Chris's point by talking about the mechanics by which the government gets these orders. Even when they go to court to get an order as sometimes required by the law, they generally do so in proceedings where the government is the only party. The government goes and says, I need this surveillance order to be granted for an investigation. And the defendant, of course, isn't told that they're about to be subjected to surveillance for good reason. The investigation is not going to be effective if the person is told that their cell phone is about to be tracked. But unfortunately, what this does is it subverts the adversary process. In general, judges get to listen to both sides of arguments before making decisions. And the surveillance requests the government has submitted have gotten broader and broader and broader over time. And the judges don't have anyone on the other side to help them understand it. So for example, there was a case we uncovered called United States versus SOTO, which was in Connecticut. And it ended up being an example of a case where the government submitted a request to engage in tracking, not just of the one individual they thought had engaged in wrongdoing, but of everyone else who had called that person's cell phone, which ended up being about 180 other people. And the judge simply signed off on this order. But these orders aren't clearly written. They're quite confusing and difficult to understand. And I think the way in which they're gotten just by the government without anyone else in court to make the arguments in favor of privacy is one of the reasons we've seen such a rampant expansion of surveillance. So now it's just those of us for whom one hour of this is not enough. And we'd like to invite questions and comments because we don't have a microphone for that. Those of you who are further back who wanna ask a question or make a comment, if you can move forward, and if people in the back can't hear it, I will repeat it. And I would just say that because we're still a sizable group of people could keep their questions or comments to a reasonable length of time. That would be very useful. So right here in the front. And if they end with a question, that would be really awesome. So the question was, can the panelists comment on the Department of Justice's shielding of companies from liability for disclosure of information about their customers? I think you're talking about the FISA amendment sites. Is that what you were, than one of the lawyers? You want to? Isn't this going to have the Supreme Court this fall? Well, yeah, some, I mean, you know, the ACLU has a broad constitutional challenge to the legality of the FISA amendments act that's going to be heard by the US Supreme Court at the end of October. I would just say, if you want more information about that, there is another ACLU panel at this conference tomorrow with my colleague, Jamil Jaffer, moderating and he is gonna be arguing that case and he's the real expert on this. So we'll also have Jim Bamford and Bill Binney of the NSA. Without getting into, just to respond, without getting into the legal issues, what I can tell you is that the carriers don't like the idea of being liable for their illegal assistance of the government. Unsurprisingly, right? And they lobbied extremely hard to get that law passed. They spent a lot of money. Carriers that still insist they didn't do anything, but they also spent lots of money to lobby for its passage. And you see, after those lovely lawsuits against the carriers, that they've insisted even more on lots of things in writing saying, we're not liable for any assistance. We provide, you see in the recent cybersecurity legislation's been proposed and revised several times and still hasn't passed. The key issue in the current cybersecurity debate is how much information can the communications companies provide about your information? How much of your information can they give the governments for cybersecurity purposes without ever being liable and being sued by their customers for doing so? And we should point out that even here, not every company went along with the government's demands that they engage in warrantless wiretapping and contravention of the statute. So it's another opportunity for us to say to companies, we want you to protect our legal rights when the government is asking us to do illegal things. Yes, sir. Do you make those slides available? Ashkan, will you make those slides available? There's a, yeah. How? Follow Ashkan on Twitter and he'll tweet a link to the slide at some point today. Or if you search for my name, I did a longer version of this talk at NYU. So it's just, Google my name and NYU and it's on Vimeo. So I talked to it as well. No, this was around mobile privacy. It's called everything I know about mobile privacy in 30 minutes. Anyone else? Yes, in the front. NSLs. Yeah, so this is the question. The question was about the use of national security letters, the authority which was expanded under the Patriot Act. Chris, do you want to talk about NSLs? As the non-lawyer, I can tell you a little bit. So the NSLs were expanded under the Patriot Act to allow the government to go to telecommunications companies and obtain certain kinds of customer records. And there's been significant debate about what the government can get with an NSL to say an internet provider. So there was a memo written by the Office of Legal Counsel which is sort of the internal lawyer within DOJ that specified what the FBI could and couldn't ask for with an NSL. And the issue that there is considerable debate around is whether they can ask for transaction records from internet providers, which is basically who you've emailed. Who you've emailed and when you've emailed them. Companies generally, the NSLs that are sent are usually gagged or usually sealed. And so companies are prohibited from disclosing that they've received them. There've been a couple cases where companies have fought to try and notify their users. But what we can talk about, what companies aren't able to talk about, even if they cannot comment on the NSLs they've received, companies can comment hypothetically about what they would hand over if they received an NSL. And so Facebook is the only company that I know of that has gone on record to say that if they receive an NSL, they will not hand over communications metadata. They will just hand over your name and when you signed up for service. Google, Microsoft, Yahoo, the rest still will not comment on this. And I think that they owe us an explanation. The statute is poorly worded and so they can get call records, call billing records from telephone companies but the statute doesn't really go into whether they can get that kind of information from internet companies or the analogous information. So DOJ would like to change the statute. In any case, we need more transparency. There are plenty of places where companies can tell us about the kinds of requests they receive or at least what they would hand over. Skype is another fantastic example of a company who's been extremely evasive recently in describing their wiretapping capabilities. There was also a great story in the Wall Street Journal about two weeks ago about an existing NSL and some analysis about who that company may be. And there's great data in that story as well so I would highly recommend checking that out if you're interested in this topic. Sir. Right. Do you know? I don't know if anyone's addressed that. The Supreme Court didn't get into that in Jones but when people discover them that seems, the next thing that happens is it seems to be two people come knocking on your door saying please give us our property back which I think people find awfully galling since they're saying, but you attach this to my car. Yeah. I think one of the funniest things with that was right after the US versus Jones decision we knew that there was 3,000 of these devices in the wild. The FBI turned off all of those devices and then had to request permission to turn them back on so they could go and find them. And so I thought that was kind of a funny. Yeah and the FBI actually at a conference in February the general counsel said, hey we have these two memos analyzing United States versus Jones and what it means for our surveillance, right? And we're raising questions which surprised me, like the Jones case actually involved a vehicle so they were saying, but does it apply to planes? Does it apply to boats, right? So we actually just filed a Freedom of Information Act request saying give us those memos because I think the public has a strong interest, the law in some sense only means what the government is willing to concede that it means. And so I think we all have a strong interest in understanding how the FBI actually believes that decision constrains its work. Did you have a question here, yeah? What I can tell you is the OnStar and Lowjack and those other services and also the ones you can buy from the Sky Mall to spy on your friends and family and loved ones and kids for like 200 bucks, they all use the cell phone companies for service, right? So for you to be able to disable the vehicle when it gets stolen, there needs to be a communications channel and that's using the phone company. And so, again, the phone company has been the first entity that the government goes to because it's the easiest. They're the ones that they're used to talking to. What I can talk about regarding OnStar, it's actually not OnStar, it's a related company. There was a ninth circuit case a few years back in this town in Las Vegas where the government wanted to monitor the communications or the conversations occurring in cars by a couple mafia guys who were smart enough to not talk on the phone. And so they were sitting in these luxury SUVs and having these sit-down conversations and the government tried to force the company that made the help I'm lost service, turn on the microphones remotely and then spy on the calls. So the courts, what? ATX technology. ATX sorry. So there was some good news and bad news. In that specific case, the government said that the company could not be forced to turn on the microphones but for one reason and one reason alone. And that reason was while the wiretapping was occurring, if you got into an accident, the 911 functionality wouldn't work. And the court said that they didn't trust the FBI to promptly notify the emergency services because that wasn't what the FBI specializes in. The court left the door open and in fact, sort of hinted that if the government could turn these devices into secret microphones while simultaneously preserving the functionality that customers are paying for, then surveillance might be okay. And so, you know, the trends, the theme you should get from that is that the services that you use can be used against you. And the company may not wanna go along with it, but when the request comes in, there's only so much the company can do to fight. And the best we can hope for ideally is, I mean realistically is for the company to just be honest and say this is what we're able to do. Then the consumers can at least evaluate and decide if the service is the right thing for them. But in answer to the specific question, Jones didn't answer that for two reasons that Catherine can get into, right? Yes, so they didn't answer it. And actually Justice Alito who wrote an opinion for four of the nine justices, ridiculing Justice Scalia's property-based trespass rationale specifically mentioned these on-star navigation systems and said, you know, what's really important here is that you don't expect someone to be tracking your movements for 28 days and hinging this entire constitutional analysis to a trespass rationale doesn't make any sense, right? And he mentioned the on-board navigation systems as one example of that. But you know, whether that would carry nine justices instead of four is another question. We do know that the government with some regularity is using on-board navigation systems in order to track people's movements. We don't have a lot of information about how frequently that happens, how the different companies cooperate and so on and so forth. And obviously these things, you know, on-star in particular collect a lot more information about you than just your location, right? How quickly did you break before that accident and so on and so forth? And so as Chris was saying, it's definitely something to think about. And the government would argue, even after Jones, that that information is being collected by a third party and so it wouldn't be the constitution that governs it, right? It would be some part of ECPA that governs it. They wouldn't necessarily need a warrant based on a probable cause, right? So maybe I'll just talk about the third party doctrine a little more expansively briefly, right? We keep talking about something called the third party doctrine and its origins are, you know, from a long ago and far away when the Supreme Court held that you have no privacy interest in your bank records, someone tried to argue that the personal checks that he had written to the bank were his financial records and therefore the government couldn't simply subpoena them from the bank because he had a fourth amendment interest in them. They needed a warrant based on probable cause and the Supreme Court said, sorry, no go, you're out of luck. These aren't your records, they are the records that you have voluntarily disclosed to a third party and therefore you have no privacy interest. The Supreme Court extended that rationale to the phone numbers you dial in a case called Smith v. Maryland. So if you type in a phone number, right, or if you call a phone number or someone calls you, the Supreme Court has said you have no privacy interest in that. If this doctrine is carried to its extreme, that means that in the digital era we will have no privacy in anything anymore because if you use Gmail or Yahoo for your email, it is all stored by a third party company, all of your location data is stored by a third party company. I think courts looking at the extreme consequences of that argument have pushed back on it. So for example, one federal appeals court has ruled, for example, that you have a privacy interest in the content of your email even though a third party has access to it. But this is the government's primary argument about location information as well. You chose to carry a cell phone, I remember reading one government brief in particular in which they said that anyone who doesn't wanna be tracked, there's a simple solution for those people, they can leave their cell phones at home, right? You sort of like wonder what world the government anticipates that we will inhabit if we don't wanna be subjected to 24 hour tracking. But this is one of the major arguments the government makes. Are there any other hands? Yes, right here in front. So the first battery, we're planning to do this on a number of topics but the first round of requests we did were on cell phone location data. 35 ACLU affiliates sent something like 380 requests to law enforcement agencies around the country about cell phone tracking. And so for the first time, we were able to establish that essentially every police department in the country tracks people's cell phones. You don't need to be a sophisticated department like in New York, you can be a small town police department, you're gonna be getting access to people's cell phone information. We figured out how long the carriers were retaining this information, we figured out that the legal standards are completely chaotic, right? In some parts of the country, police departments actually do get a warrant based on probable cause to track cell phones suggesting that it is actually compatible with legitimate law enforcement investigations, right? You can protect privacy and carry them out. We're about to launch another round of requests which are going to focus on the use of automatic license plate readers. That's actually happening this upcoming week on Monday. And I think that is the next big place that this is going to go because in major cities like Washington, D.C., in New York, it is essentially possible to enter or exit the city in a car without having your license plate recorded. It used to be that that information was then discarded after some period of time, now this stuff is being kept indefinitely and pooled into these state or regional or federal databases. We don't know where the money is coming from. It's probably coming from various federal government sources that are pushing out the dissemination of this relatively inexpensive technology, right? And so you can never just think, okay, we're going to solve the cell phone or car location tracking problem, right? There's always going to be, it is an eternal game of whack-a-mole. There's always going to be another field of play and that's the next one. And let me just comment on, so we've kind of used terms like the government and law enforcement and tracking and all this kind of stuff. It's kind of important to think about how this stuff actually happens, right? So we have a bunch of different entities from the NSA to the FBI to local law enforcement. And they also go to conferences like this in the same way that it's a false descriptor to think that everyone in this room has a complete command of all the possible tools out there and research tools with regards to security. And it's also kind of, it's also important to note that there might be some guy in some office in Arkansas that happens to have, happens to need location information for a particular case and happens to either have attended a conference and know how to get to the SPRIT API to get that data or happens to know a buddy at a different, that's managed to get location information from a different source like OnStar or whatever. And he's going to go through that process for his case, so it's not this big entity with a set of rules, it's that people are trying to solve a case and they're going to find and get information in whatever way they can. And they're going to follow standards, sometimes they're going to go around it, sometimes they have a buddy that's a PI that can get it for them, or sometimes they have a relationship with a particular ISP that they've done in a previous case and they can call them back up. So it's important to understand the human element and try to think about this stuff because it's not a blanket kind of entity trying to think of a framework. It's literally, I need this data, I'm going to go and get it for wherever I can and it's low hanging fruit, right? So like since SPRIT is currently the Amazon of location tracking, in the sense that everyone knows about them and they can just go to them. And so if you have a target that's a SPRIT customer, you're like, hell yeah, I know the URL for that thing and I'm going to go and buy some GPS. But I should also clarify, so what we know is about 1.5 million requests. So most of the carriers responded to Mr. Markey and gave numbers, T-Mobile refused to give Markey numbers and then about a week later they said they got about 190,000 requests that year. So we know it's about 1.5 million requests. Those are only law enforcement requests. That doesn't include a single intelligence agency request for the simple reason that the phone companies are not allowed to talk about those requests. They can at least give us a number. What they can't tell us the specifics of the requests they receive from police, particularly when the cases are ongoing, they can just tell us a number. But the requests that they receive in national security cases, the assistance they provide to NSA, that's deeply classified. And so- But we've learned a fair amount about an NSA setting up shop inside the telecoms, right? Well we know that the telcos gave wholesale access, several telcos gave wholesale access to NSA. We know that the FBI paid the phone companies to place telco employees in FBI teams so they could provide easy access, easy quick access to data. The FBI agents were writing down the names of people on Post-it notes and then passing them to the phone guys to just see if there's anything suspicious there. But what I wanna emphasize here is what we do know is only about law enforcement and the intelligence stuff is likely far scarier and happening, it's more likely to be in a wholesale manner. And the limiting factor here is not gonna be the technology, it's gonna be the law and the policies. So about four years ago I got a copy of some slides from a British surveillance company called Thorpe Glenn. And they provide an interface, a layer to Google Earth that telcos can install and work with the government to provide. And their demo used real-time data from Indonesia. And so they were giving the Indonesian authorities who had purchased the software basically had a Google Earth interface and they could zoom in and see dots on a map of 60 million cell phones. 60 million cell phones, dots on a map in Google Earth. To me, that's terrifying. So the guys at Thorpe Glenn, they're proud of it. The wonders of their technology. But what you need to understand here is the limitations are not on what is technically possible. It's what the phone companies are giving and what the government is asking for and the government feels comfortable doing. And also, of course, US law only really protects the communications of US persons if then. And anyone who's abroad, their data is really up for grabs. And so we should assume that there are millions more requests, millions more requests that we will never know about. And I certainly agree that the government isn't a monolith here. Different layers of the government are doing different things. And one of the ways we end up thinking about what the national security establishment may be doing actually depends a lot on technologists who can sort of now speculate about what it is technologically possible to do and then help make interesting conjectures about what may be happening. On the national security front, there's a man at the Cato Institute, Julian Sanchez, who came up with a very interesting idea about why the government might be just hoovering up vast quantities of location data and it's because it's one thing to change out your phone but you're pretty much going to live the same life no matter what. You're going to live in the same place, you're going to work in the same place. And so if you have access to mass quantities of location data, then you can potentially recreate people's movements even after they switch up their phones, because unless they go to really extreme measures, they're not going to be able to change the basic travel patterns of their life. And I agree that what the local police departments are doing is very pragmatically driven. They have crimes they're trying to solve and so they use the investigative tools available to them but I think what is so striking now is that what we're really seeing is the democratization of mass surveillance, right? You know, it used to be difficult in order to track someone. You had to assign officers to them. They had to physically follow them. That was resource intensive. Now anyone who can log on to this sprint portal can accomplish the same thing easily. My friend. So the question was in what situations can a company inform a customer that there's been a request for the customer's data and the flip side in what situations can a company not inform them? And it certainly varies significantly between whether it's a law enforcement in a national security investigation. I'll start and when I get it wrong, Catherine will jump in. So my understanding is that wire tap orders are gagged by default for the provider. Request for stored communications, your emails, your search records, that information, the government can obtain a request. The government can obtain an order from a judge that forces the provider to not tell you but the government has to go out of its way to ask for that and particularly when the government is obtaining your information with a subpoena, if the company threatens to tell you, the government then has to go to a judge and so the mere threat to tell you is often enough to force something that would otherwise not involve the courts to involve the courts and it's a really, really useful way. If companies just have a blanket policy of we will always tell our users when possible, that's a really good way of protecting users and we've seen companies, I think Twitter and Spyder Oak and a couple other companies have now adopted these formally. Yeah and Twitter in fact in New York got an order from the local prosecutor for a customer's records and the order said essentially you may not disclose and Twitter said the hell we can't and told the customer so that he would be able to challenge it. Now the problem for Twitter, you know their model, their idea here is to let their users have the information they need so that they can challenge the orders. Twitter doesn't wanna go into court hundreds or thousands of times a month or a year to protect its users data that would be an enormous expense for them. The problem is that the judge in New York ruled that the Twitter user didn't have legal standing to raise that challenge. It was a subpoena to Twitter, Twitter owned the information by its terms of service and so that the user himself didn't have legal standing to challenge it. That's a very dangerous ruling that we're gonna try to get overturned and the Twitter also was gonna try to get overturned on appeal. And Twitter got a lot of press about a year ago after they received the requests for information about a few individuals associated with Wikileaks including Jake Appelbaum who some of you might know and Twitter rightfully got praise for going out of its way to, they asked the judge to unseal the order and then the judge did and then those individuals were able to fight and what I wanna make sure that you understand is that Twitter has notified users in many less exciting and sexy cases. It's not just the front page stories where they've told their customers not just occupy protests. There was an exceedingly insane individual who made violent threats towards Michelle Bachman the crazy member of Congress and Twitter also told that disturbed individual about the request for his information. They really do seem to wanna tell their users whenever they can as opposed to selectively picking things when they involve high profile issues. So, can I just add one thing about how this works with cell phone information specifically? Back in 2007 I filed some Freedom of Information Act request with U.S. Attorneys offices around the country and I said give me the template like the boiler plate forms you fill out when you want cell phone records and at the bottom and each of every one of those forms at every U.S. Attorneys offices around the country there was language like and we have good cause to believe that if the customer learns about this then our investigation will be foiled, right? So it's just like the same like unthinking boiler plate that gets inserted in every like rental contract, right? You will arbitrate this in the Virgin Islands or whatever, right? And so judges just get these things in massive quantities, right? Because we know there's tons and tons of them and basically sign off on them, right? So you have to have a company like who's actually willing to fight back against this because all of the momentum is on the other side. They will simply, the government will simply submit these boiler plate forms and they will get stamped and so that's another way we're sort of dependent on our mobile carriers to stand up for our privacy. But not all judges will rubber stamp and there have actually been a small elite team of magistrates around the country who've revolted against DOJ's rather aggressive legal theories for surveillance and several judge, I mean, one of the leading judges in this pack is a federal magistrate from Texas and I don't wanna encourage stereotypes here but this isn't a judge from San Francisco, this is a judge from Texas and when a judge from Texas says that surveillance has gone too far I think we need to listen. That's true and those judges who've done that, right? I have tremendous, they're the heroes of this because we would, none of us would know about any of this that was going on if there weren't a handful of judges who like got these requests and looked at them and said, wow, this just doesn't seem right, right? But the magistrate judges who are signing off on these things are people who are generally, they have eight year terms, they have to be renewed, they're often former prosecutors themselves, right? And so although there are a small cadre of really skeptical judges who I think have done all of us tremendous benefits, that's not just a description that applies to the vast majority of people who are signing off on these orders. Yeah, I don't know the legal theory, I mean. So EFF is representing the talk of, unfortunately the OSCEEFF panel is right now so you're in the wrong room. What I can say is that that carrier, so the Wall Street Journal did a bit of sleuthing and I think they've figured out which particular carrier it is. Do you remember the name of it? Credo or something? Credo, so they're like the, they're a virtual carrier, they rent space on Sprint's network. They're like the carrier that advertise, they're the Whole Foods phone company. They donate money to green energy and they have a pack where they donate money to liberal causes. I mean, fighting the government's aggressive surveillance orders is sort of, it fits with their brand. The problem is they use Sprint's network so they can only fight so much because Credo knows who the user is, Sprint knows where they've been. Well actually, phone calls are governed by a statute that requires, if you want to listen to phone calls in real time if law enforcement wants to, they do need a warrant not because the, not in all circumstances because the constitution requires it, although it does, but also because that's very, very regulated. You know, on the other hand, think about how much is stored in the cloud. If you keep your diary in one of these and put it in your desk drawer at home, the government needs a warrant supported by probable cause to get into your house and if you keep it in a Google document, the third party doctrine theory at least is that the government can get it without a warrant. I think as Catherine said, as the implications of that become clearer and clearer to judges in the digital age, we'll see that the third party doctrine is on its last legs and for an indication of that, Justice Sotomayor in Jones wrote a concurring opinion for herself alone saying essentially that, that the third party doctrine is obsolete given how much information we don't even consciously share with third parties information that we certainly expect to be private and that it doesn't really make sense anymore and I think probably everyone on this panel agrees that sometimes in the next few years, we're going to see the Supreme Court take this up again in this context. Right, and I think that's a legacy so the phone call thing is interesting, right? It's a legacy of the judicial system or kind of the framework, like how many people here, for example, now make most of their plans through email and text or chat, even real time I am, right? Like over phone calls, like I know, I personally do, I suspect a good number of people here do, but that falls under a different standard because those communications are not voice, right? Even though they serve the same purpose and the same type of, and you guys can talk about the legal standards for it, but even a real time chat, for me, they serve the same purpose as a phone call, right? Instead of calling Chris, I'll just, I am him and say like meet me here, but that speech is not protected under the same standard as phone calls. So we are actually sort of lucky because we have a lot of data about law enforcement wiretaps. We have more information about wiretaps than we have of any other form of law enforcement surveillance request to a company and there's only 2,500 wiretaps a year. So of the 1.5 million requests that the phone companies receive, 2,500 of them are associated with wiretap orders or maybe a little bit more because there may be a single wiretap order that gets sent to multiple phone companies. The stats that are included, there's an annual report that's published by the courts and the stats are enlightening and maybe terrifying at the same time. Approximately 98% of the wiretaps are from mobile phones so the police just don't wiretap landlines anymore, landlines, business phones, there's no fax machine wiretaps anymore. The wiretap stats break out, interceptions of network communications, real-time network communications and I think there's less than three or four of those a year. So for the most part they're intercepting mobile voice communications in real-time. The other really surprising, but it makes sense when you think about it, thing is that about 85% of the wiretaps are for drug cases. So if you are killing people or engaging in bribery or arson, your chance of being wiretap is pretty small but drugs are the main source of wiretaps and one of the reasons for that, I think that will make sense to you is that wiretaps are expensive. When you need to have agents listening to months worth of phone calls, that's a lot of agent time, it's a lot of overtime, you have to pay the carriers. Wiretap, a five-month wiretap investigation can cost several hundred thousand dollars to the police department and that money has to come from somewhere and when the police bust a drug dealer, if they get four kilos of coke and 300 thousand dollars in cash, due to civil asset forfeiture laws, the police get to keep a significant portion of the money, they may share it with other agencies, so the DEA will take some portion, the local police will take some portion, but more so than any other case, any other kind of crime, drug cases tend to pay for themselves and so the drug cases tend to subsidize the wiretaps that occur there and there's not gonna be a pile of money to be seized in a murder case. So just to play off of that, I mean it's true that a lot of wiretaps happen in drug contexts, but I think the drug war is like where the money for innovation in electronic surveillance often comes from, right? I mean the DEA was like the nation's innovator when it comes to cell phone tracking too and so I think there's an interesting connection there. Do you wanna mention the committee's report? No, I'm just gonna say. And I also just wanted to respond to something that Ashkan mentioned earlier, I mean it is strange how incongruous these legal standards are, so for example it's been clear since the 1870s that if the government wants to take a first class letter out of the postal service and read it, it needs a warrant based on probable cause, right? But it's 2012 and we're having these legal discussions about whether or not email is protected by the Fourth Amendment, right? I think the human common sense reaction is but it's just content, right? If content is protected in the postal service, it ought to be protected under email, but the law doesn't always work that way and so we're having these conversations still. Any more hands? In this crowd, I see one over there. So the question is, have we been able to track over time, say in the last 10 years, how much more location data is showing up in criminal prosecutions? I will just say before I turn it over, Catherine was on a panel at the Penn World Voices Festival in New York a few months ago with a British science fiction writer and he described a case in the UK, a murder case in which someone was convicted basically only using location data without any eyewitness, without any direct evidence. All sort of circumstantial location data by itself was enough to solve and successfully prosecute this case and that's something you couldn't have seen 10 years ago but does anyone want to make more than the obvious point that there's a lot more of it now than there was 10 years ago? I just don't think we know very much about how many requests are happening right now in terms of how many of those 1.5 million are location requests. We certainly don't know how many they were receiving 10 years ago. The wireless carriers do say that the requests they receive go up about 10% every year. And if one of us were a criminal defense lawyer, we would be able to tell you anecdotally that cases are being built on this now more than they used to be. But what I know about this is just from watching the wire like the rest of you. Yes. So, do you have any information about people who jailbreak their phones and install ultra-pronged so that they have more or less vulnerability in terms of location tracking? That's for the technologists. I mean, so like there are mods for Sanogen that restrict transmission or let you spoof your location information for things like the use of apps, right? That doesn't affect the type of request we're talking about here from the carrier. So if you're still using Sprint's network or T-Mobile's network or whoever, you're still maintaining a GSM connection or a CDMA connection to the towers and the towers can't identify you which is accessible to law enforcement. So perhaps you then turn off data plans and this kind of stuff and only use it on Wi-Fi. Sure, maybe, but that's less to do with the ROMs itself. The other thing to think about, and it's kind of this kind of double-edged sword with a lot of the custom ROMs, is one, you often use untrusted sources and you expose yourself to other security risks. And two, you don't often get the latest patches, right? So things like, you know, some of the SSL cert stuff or some of the kind of the new features in Jellybean won't be available in some of the custom ROMs. So it's kind of like, you use it at your own risk if you know what you're doing, otherwise you might actually inadvertently be creating a different type of attack surface protecting from the ones you know about and introducing ones you don't. I mean, what I'll say is that right now the laws of physics don't really allow you to communicate with the cell phone company and not have the tower know approximately where you are. Right. There's no way to hide the direction you're sending your signals from the tower. If you're using mesh networking or you're bouncing your signal through some other device, then you're doing that. But the tower is always gonna know which direction it's receiving the signal from. It's gonna know the approximate strength of the signal. I mean, there's some degree of approximation that the tower can guess. So the Ninja guys just did this fun little experiment which is I think a good example of how to decentralize, for example, off a tower. And so maybe that's the way to go. I recently had an idea which if anyone wants to implement would be awesome, which is who's familiar with Google sharing Moxies thing that lets you share cookies. So like, so like, so all four of us would be using Google sharing at the same, and at any time Google would not know which one of it it is making the request or visiting the webpage. With software now, for Soft Sims and software radio now, you can do some stuff, some fun stuff around swapping your, your IMZ and your kind of your SIM card kind of profile. And so one fun experiment could be getting 50 people on this room to sign up to all you can eat carrier. So like something like, what's the one called? Straight talk, $50 unlimited data and limited voice. So you get 50 of those plans and you then randomly assign an IMZ for each call. So you could never know which of those 50 people are making that call at any given time and therefore not know who is at what location. Right, so you lose the ability to take inbound calls, maybe you can solve that through some other back channel. But you could try to do things like get around this problem that Chris highlighted which is how do you maintain a connection to the existing infrastructure and still protect your location information? Will you repeat the question, Chris? The question is what kind of intercept capabilities exist with Google Voice? And I'll even extend that question to Google's video conferencing service. Is that HODL or Hangout, I forget. Whatever it's called. I've been asking Google for months about what their intercept capabilities are and they won't comment. They just say they comply with all lawful requests and they push back on requests they think are inappropriate. Again, I think that companies like Google, particularly companies like Google that claim to put their users first and blah, blah, blah. I think that they have an obligation to at least be upfront and say this is what we can do. And if they can in fact record your video chats in real time and later provide that information to the government, I think they should tell us. Certainly given that Google Voice is communicating on the regular telephone system, I suspect that they're required. I suspect that they fall under clear. That's my guess. But they just won't talk about it and I think that's highly problematic. And then you just did a post about Skype as well. Yeah, I mean, there's been so much speculation over the past few months. It's been growing in the last couple of weeks about what Skype can and cannot do. And the company is very careful in its statements. They appear to be written by a hybrid team of lawyers and PR, which is the worst combination. They say that they use encryption. We don't know very much about how they do the key exchange and certificates and other things. I mean, I personally wouldn't use Skype for anything that I didn't want the government to hear. So we have about five more minutes, but we can wrap up if there are no more hands. Am I missing any? Any other questions? I don't think so. We want to thank our first audience, our middle audience and now our third audience for indulging us up here. Thanks very much.